f2e3f685256e5f31b05fc9f9ca470f527d7fdae28fa3190c8eba179473e20789

Analysis

max time kernel
120s
max time network
125s
platform
windows10_x64
resource
win10-en-20211208
submitted
12/12/2021, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FecitAntiques.exe
Size

12KB
MD5

6ac57a1e090e7abdb9b7212e058c43c6
SHA1

0a1e239348a73b1a95ac1767c8afebe4b98cdeff
SHA256

f2e3f685256e5f31b05fc9f9ca470f527d7fdae28fa3190c8eba179473e20789
SHA512

95748e2a5c90440206a815960eb864b787562d9dbe5d57a3279ef71d24143ff6f0f963925836623bfcb02914c0c0dea3cc0f731860c88101710659c445287a9e

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RedoGet.png => C:\Users\Admin\Pictures\RedoGet.png.khonsari	FecitAntiques.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	FecitAntiques.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	FecitAntiques.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 800	3788	FecitAntiques.exe	69
PID 3788 wrote to memory of 800	3788	FecitAntiques.exe	69

C:\Users\Admin\AppData\Local\Temp\FecitAntiques.exe
"C:\Users\Admin\AppData\Local\Temp\FecitAntiques.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO GET YOUR FILES BACK.TXT
  2⤵
  PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3788-115-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3788-117-0x000000001B440000-0x000000001B442000-memory.dmp

Filesize
8KB

Download